Security for server-side scripts

All editions of Adobe Media Server support features that protect your content from being stolen and misused. Some features, such as true streaming, are intrinsic to the server and don’t need to be configured. Other features, such as enhanced RTMP (RTMPE), can be configured or disabled using XML configuration files. Still other features, such as controlling read and write access to specific server folders, can be custom built using client-side ActionScript and Server-Side ActionScript.

For a definitive guide to Adobe Media Server security, see Hardening guide for Adobe Media Server in the Adobe Developer Center.

Limiting script memory usage

In the ScriptEngine section of the Application.xml configuration file, you can limit the amount of memory that can be used by Server-Side ActionScript on the virtual host.

You can also configure other aspects of the JavaScript (Server-Side ActionScript) engine, such as how often garbage collection occurs, the maximum amount of time a function can take to execute, and the script library path.

For more information about editing configuration files, see Working with configuration files. For more information about configuring the script engine, see ScriptEngine.

Loading a script securely

The Adobe Media Server script security model enables administrators to limit the exposure to potentially malicious or buggy third-party code that may be included on the server side. The script security model is not designed to detect or prevent error conditions such as an infinite loop in third-party code, but it is useful for preventing or limiting certain potentially dangerous functionality, such as the ability to make arbitrary connections, or read or write file objects.

Script security can be very valuable when building dynamically extensible applications that load and evaluate code from external sources.

When an application is started, the server looks in the application’s folder for a secure.asc file. If the file exists, the server loads it. While secure.asc is loading, and only then, the server makes the protectObject() and getGlobal() methods available. Use these methods to manipulate global functions, classes, and objects in a way that is not possible during normal application execution. The getGlobal() method provides access to the global object from the secure.asc file while the file is loading. The protectObject() method prevents application code from accessing or inspecting the methods of an object directly. You can use the protectObject() method only in the secure.asc file. Once the server has finished loading the secure.asc file, these methods are unavailable. The server then loads the main.asc file and other scripts in the normal manner.
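The following secure.asc sketch is an added example, not code from this page or from Adobe. It uses getGlobal() and protectObject() to replace the global script loader with a version that accepts only allow-listed paths. It assumes the Server-Side ActionScript globals load() and setAttributes(), which this page does not describe, and a hypothetical policy that third-party scripts live in a "plugins/" folder.

```javascript
// secure.asc (added example). The server loads this file before main.asc.
// Assumptions: load() and setAttributes() are Server-Side ActionScript
// globals not described on this page; the "plugins/" policy is hypothetical.

// Accept only flat script names such as "plugins/chat.asc": no absolute
// paths, no "..", no subdirectories.
function isAllowedScript(path) {
    return typeof path === "string" &&
           /^plugins\/[A-Za-z0-9_\-]+\.asc$/.test(path);
}

function installGuardedLoad() {
    var gate = {};
    gate._load = load;   // keep the only reference to the native loader here
    gate.load = function (path) {
        if (!isAllowedScript(path)) {
            throw new Error("secure.asc: script path rejected: " + path);
        }
        return gate._load(path);
    };

    // Application code receives a protected wrapper, so it cannot access or
    // inspect the gate's methods directly.
    var guarded = protectObject(gate);

    // Replace the global load() with the guarded version.
    var g = getGlobal();
    g["load"] = function (path) { return guarded.load(path); };
    // Arguments: enumerable = false, readonly = true, permanent = true,
    // so main.asc and later scripts cannot overwrite or delete it.
    setAttributes(g, "load", false, true, true);
}

// protectObject() and getGlobal() exist only while secure.asc is loading.
if (typeof getGlobal === "function" && typeof protectObject === "function") {
    installGuardedLoad();
}
```

Because main.asc and every later script see only the guarded load(), a dynamically loaded extension cannot pull in scripts from outside the allow-listed folder.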

For more information, see Adobe Server-Side ActionScript Language Reference.